[117738] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: laughable CAPI recovery designs

daemon@ATHENA.MIT.EDU (Adam Back)
Thu Sep 9 16:51:06 1999

Date: Thu, 9 Sep 1999 21:17:14 +0100
Message-Id: <199909092017.VAA21889@server.cypherspace.org>
To: cypherpunks@cyberpass.net
Cc: cryptography@c2.net
From: Adam Back <adam@cypherspace.org>
In-reply-to: <199909091700.TAA06316@mail.replay.com> (message from Anonymous
	on Thu, 9 Sep 1999 19:00:11 +0200 (CEST))
Reply-To: Adam Back <adam@cypherspace.org>


Anonymous writes:
> >(Though one supposes it is within the bounds of possibility that the
> >NSA key has two functions: where it could also used to sign
> >operational key replacement patches.  However in that case you would
> >have expected some attempt to prevent replacement of the NSA key, but
> >we know that there is no authentication for replacing the NSA key --
> >you can just patch it out.)
> 
> Accoring to your assertions you just proved that the use of this key is not
> a very high security priority, giving the lie to the possibility it is used
> to insert black crypto modules!

Indeed, however the argument went:

Adam> "I think A"
Adam> "(I suppose B is within the bounds of possibility.  But it seems
Adam> unlikely because of C)."

Anon> "C is unlikely therefore A is untrue"

which does not logically follow, because A is a separate argument not
depending on premise C.  It would be true to say "C is unlikely
therefore B is probably not true", but that is what I said.

> >So in summary I conclude that Microsoft is just blowing smoke.  The
> >key is NSA's, and is either intended for Info War purposes, or for
> >their own use, or both.
> 
> See my previous comment: your conclusion is in no way supported by the facts!

I think NSA asked them to insert the NSA key.  They did it.  They did
it very poorly, but if NSA wants it for Info War purposes, why should
they care.  Microsoft does most things poorly, so this is to be
expected anyway.

> >I think if Microsoft were in the clear, the best PR
> >approach would be to just let BAL do the press release.  
> 
> Microsoft did, didn't they?  They're not going to have the project manager
> put out a press release!  I don't know why I'm taking the time to respond
> to this.

What I mean is they would put out press releases which were logically
self consistent because someone who cared about truth and logic had
written it.  Instead we get press releases which are written to the
standard corporate mindset: deny, obfuscate, presume public is stupid
and has no memory, etc.

> >However, from
> >Lucky's comments on the cryptography list:
> >
> >: After watching the NSAKEY talk at the Crypto rump session [name
> >: elided], by his own account at the time the person ultimately
> >: responsible for CAPI at Microsoft, told a group that even he had not
> >: know about the second key. 
> 
> CROCK

Eh?  The above quoted person was Lucky, who is a reliable source, and
was at the rump session, and heard it first hand.

> >it appears BAL was not aware of the second key.  So the evidence to me
> >indicates that it is NSA's key, and Microsoft does not want to admit
> >it because it makes for bad PR.  Or that Microsoft is doing a poor job
> >of in it's press releases!
> 
> Occam. Use Occam.  Nobody's fucking using Occam.  Anyway my back channel
> indicates it is a Microsoft key.

So you claim to have inside knowledge that it is a Microsoft key.
Another anonymous person recently claimed it was an NSA key.  Lucky
thinks it is NSA, as do I.  BAL says he didn't know about the key.
(Unless I misunderstood Lucky and the 2nd key was the 2nd key *other
than the primary microsoft key* which others are calling the third
key -- the one microsoft claims is a testing key.)

We'll never know -- unless someone in Microsoft in the know tells.

Adam


home help back first fref pref prev next nref lref last post